Understanding the SAML between Workspace ONE Access and Horizon

When you integrate Workspace ONE Access with Horizon you can take advantage of the Unified Digital Workspace as well as the conditional access capabilities including 3rd Party IDP Integration, Risk, and Mult-Factor Authentication.  In this blog, I’m going to walk through the SAML flow because it might be a little different than what you’ve typically seen before.

In this example, I’m going to assume that Azure AD is configured as a 3rd Party IDP inside of Workspace ONE Access.

At a high level, here is authentication flow:

Let’s walk through this flow in more detail:

Azure Authentication

This part of the authentication flow is pretty standard.  When you go to Workspace ONE Access, the default policy will automatically trigger an HTTPS POST to https://login.microsoftonline.com

Once you authenticate on the Azure AD side, Azure will send a response back to Workspace ONE Access with the correct value in the NameID:

Depending on your mapping configuration in the 3rd Party IDP configuration, the subject will be mapped accordingly to match the user in Workspace ONE Access.

SAML from Workspace ONE Access to the Horizon Connection Server

When you access a virtual application from Workspace ONE Access, you can apply conditional access policies such as MFA or Risk before attempting to access the virtual resource. We won’t go into that specifically in this blog. For now, we’ll focus on the SAML.

When working with SAML, we typically use the HTTP Redirect or HTTP POST Bindings.

The important thing to understand with the HTTP Redirect and HTTP Post bindings is that all communication is between the client and the identity provider or the client and the service provider. There is no communication between the service provider and the identity provider.

The Workspace ONE Access and Horizon Integration uses a SAML Artifact Exchange. You rarely see SAML Artifact anymore. It was typically used for one of two reasons: 1) There is a large amount of information contained in the response 2) You are sending sensitive information in the response and you don’t want this information passed in browser headers. A SAML Artifact exchange will look something like this:

This is an important distinction because now you need to make sure that your Horizon Connection server can talk to the Workspace ONE Access service. I’ll cover outbound proxy servers later. When Workspace ONE Access Launches the Virtual Desktop, it will include a “SAMLArt” in the GET request:
GET
https://horizonserver/portal/webclient/index.html?desktopId=cn%3Dconnectorservers,ou%3Dapplications,dc%3Dvdi,dc%3Dvmware,dc%3Dint&desktopName=My%20Desktop&SAMLart=AAQAACUBQH%2BucnN6nZeiM03zpgBLxMcNbptQk3PSGzRXn2szAqtB5lxctWo%3D&user=steve&domainName=1dsavm.com&horizonId=1a3f9d62-a288-40ee-80dd-18479df96693&spID=719fc36f-3643-3c2b-9591-aecd5fbccda4
Once the Horizon Connection server receives this request, it will make an outbound call directly to the Workspace ONE Access SAML Artifact Resolver:
POST https://dsas.vmwareidentity.com/SAAS/auth/saml/artifact/resolve HTTP/1.1

You can see in the above code snippet that the SAML Artifact is included in the SOAP request sent from Horizon to Workspace ONE Access.

The response from Workspace ONE Access will be different depending on whether True SSO is enabled:

It will send the UPN in the NameID:

Along with the requested Virtual Resource:

If True SSO is not enabled, the Horizon Connection Server will require the password for the user. This password is communicated as an encrypted attribute:

Given the potential for sensitive data being sent from Workspace ONE Access to Horizon, it makes sense that the SAML Artifact Binding was chosen.

Configuring a Proxy Server in the Horizon Connection Server for Workspace ONE Access

If your Horizon Connection server requires an outbound proxy, you will need to use ADSI Edit to configure the proxy server.

  1. Using the Server Manager, launch ADSI Edit from the tools menu
  1. In the Connection Settings: Enter: “dc=vdi,dc=vmware,dc=int” for the Connection Point and “localhost:389” for the server.
  1. Expand “OU=Properties”
  2. Expand “OU=Global”
  3. Open “CN=Common”
  1. Edit the values for the entries “pae-SAMLProxyName” and “pae-SAMLProxyPort.”
  1. Click OK
  2. Restart the Connection Server


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s